Protocol based detection of suspicious network traffic

Abstract

Embodiments of the present invention relate to identification of suspicious network traffic indicative of a Botnet and/or an Advanced Persistent Threat (APT) based on network protocol of such traffic. According to one embodiment, a traffic file is received at a network security device that is protecting a private network. The traffic file contains therein network traffic associated with the private network that has been captured and stored. The received traffic file is processed by the network security device to determine whether the network traffic relates to a network protocol that is indicative of existence of a network security threat within the private network. When existence of the network security threat is detected, then the network security device reports details regarding the network security threat.

Description

COPYRIGHT NOTICE[0001]Contained herein is material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction of the patent disclosure by any person as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights to the copyright whatsoever. Copyright © 2015, Fortinet, Inc.BACKGROUND[0002]Field[0003]Embodiments of the present invention generally relate to the field of network security. More particularly, embodiments of the present invention relate to identification of suspicious network traffic indicative of a Botnet and / or an Advanced Persistent Threat (APT) based on characteristics of the traffic (e.g., the protocol used, the source or destination port and / or the source or destination address).[0004]Description of the Related Art[0005]Existing web-based applications / solutions allow users to visit a website using a variety of web browsers, e.g., Internet Explorer, Mozilla Firefox, Google Ch...

AI Technical Summary

Benefits of technology

[0009]Embodiments of the present invention relate to identification of suspicious network traffic indicative of the existence of a Botnet and / or an Advanced Persistent Threat (APT). According to one embodiment, a traffic file is received at a network security device that is protecting a private network. The traffic file contains therein network traffic associated with the private network that has been captured and stored. The received traffic file is processed by the network security device to determine whether the network traffic relates to a network protocol that is indicative of existence of a network security threat within the private network. When existence of the network security threat is detected, then the network security device reports details regarding the network security threat.

Problems solved by technology

APTs are generally slow, deliberate, and secret in action or character and hence require a prolonged duration of operation in order to be successful.

Both botnets and APTs have now become significant threats to personal and corporate security.

There is an ever growing volume of malware, making it challenging for Anti Virus (AV) engines to detect them within a reasonable time.

Images